I came across your library while investigating security of a widely deployed product using it. I found the overflow checks to be very lacking.

The calculations performed under

and can overflow even if length stays below UINT_MAX. For 32 bit applications both size_t and unsigned int are 32 bit values. As a result, this code can handle at most 0x40000000 array entries and at most 0x13B13B13 object entries before the allocation size overflows resulting in far too little memory being allocated. Once array/object data is written into this buffer, it overflows which could result in code execution.

Luckily, this allocation only happens in the second pass. Your code will allocate all the json_value instances in the first pass however, resulting in an out of memory error before this allocation can be reached. So with the current logic this buffer overflow vulnerability doesn’t seem exploitable. It might turn exploitable however if you change the allocation pattern or implement a streaming mode. So I sincerely recommend fixing this ASAP.

I’m not sure what the best course of action is here. gcc and clang compilers allow you to perform arithmetic operations with overflow checking. I suspect that you cannot expect these builtins to exist however. So in case where you don’t have them, maybe https://www.fefe.de/intof.html is of help to construct similar functionality.

It might be a good idea to also drop the current overflow checks which rely on sizes never growing by more than 8 at once. Instead, whenever you increase a length you should use addition with overflow checking.